#KQL query that looks for network connections to these domains via #MDE DeviceNetworkEvents (Connection or DNS Query).
github.com/SecurityAura...
Huge thanks to @RacWatchin8872 (on Twitter/X) for making the data available in a way that can be accessed via externaldata 🙏
02.06.2025 16:19 — 👍 1 🔁 0 💬 0 📌 0
Looking Back On #100DaysOfKQL
Living your life, 1 query a day, for 100 days
Forgot to post it here but:
Finally took the time to write a quick blog post on my #100DaysOfKQL challenge.
medium.com/@securityaur...
tl;dr: I'm never doing anything like this again, at least, not before I have a LOT more free time than I have now. But very happy to have gone through with it!
25.05.2025 18:43 — 👍 1 🔁 0 💬 1 📌 0
I'll probably never do another 100Days challenge again because man, that thing is taxing. However, I do plan to continue posting KQL queries in that repo and even enhance the ones that were posted during that challenge.
Thank you to everyone who supported me! See you soon!
13.04.2025 02:46 — 👍 3 🔁 0 💬 0 📌 0
So stay tuned for it!
In the meantime, I hope that these queries helped you in some way: detection, hunting, learning some KQL operators/functions, serve as base ideas for more complex queries or even give you a starting point to learn KQL.
(cont)
13.04.2025 02:46 — 👍 2 🔁 0 💬 1 📌 0
This challenge ended right on time, as I'm about to embark on a SANS training starting tomorrow, which means I wouldn't have any time next week to work on this. Life is funny sometimes.
As mentioned previously, I'll be publishing a blog post reflecting on that challenge.
(cont)
13.04.2025 02:46 — 👍 1 🔁 0 💬 1 📌 0
https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%20100%20-%20CScript.exe%2C%20WScript.exe%20or%20MSHTA.exe%20Executed%20from%20Web%20Browser%20Process.md
#100DaysOfKQL
Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process
IT'S FINALLY OVER! I had another query in store for today, but I feel like this challenge wouldn't be complete without that one.
(cont)
t.co/lwO1hmrqUk
13.04.2025 02:46 — 👍 5 🔁 1 💬 2 📌 0
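An added example of what a Day 100 style query can look like in Microsoft Defender XDR advanced hunting. This is not the query from the DE-TH-Aura repository; the browser and script-host process name lists and the 30-day window are assumptions to tune for your own tenant:

```kql
// Added example, not the Day 100 query from the DE-TH-Aura repository.
// Script hosts (cscript.exe, wscript.exe, mshta.exe) whose direct parent is a web browser,
// which is what you see when a user opens a downloaded .js/.vbs/.hta straight from the browser.
let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"]); // assumed list
let ScriptHosts = dynamic(["cscript.exe", "wscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(30d)                                  // assumed window
| where FileName in~ (ScriptHosts)
| where InitiatingProcessFileName in~ (BrowserProcesses)
// Pull the script path out of the command line for quicker triage (best effort, case-insensitive)
| extend ScriptArgument = extract(@"(?i)(\S+\.(?:js|jse|vbs|vbe|wsf|hta))", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, FolderPath, ProcessCommandLine, ScriptArgument, SHA256, ReportId
| order by Timestamp desc
```

Matching on both `FileName` and `InitiatingProcessFileName` with `in~` keeps the comparison case-insensitive; in an environment where a line-of-business app legitimately launches HTA from Edge, add an exclusion on `ProcessCommandLine` rather than dropping the browser from the list.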
#100DaysOfKQL
Day 99 - RDP Connection to X New Devices In The Last X Day by User
One more to go! Basic investigative query that you can use as a starting point to dig into recent, new RDP activity per user.
github.com/SecurityAura...
12.04.2025 00:43 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 98 - Execution from a Low Prevalence, Non-Signed or Invalidly Signed Binary from C:\Windows
I promise you I'm going somewhere with all these FileProfile() queries. Gotta wait a bit more.
github.com/SecurityAura...
11.04.2025 01:57 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 97 - PowerShell ComObject Interaction
I wish I was getting some $ kickbacks from ClickFix for their queries 🥲 In the latest variant that I've seen, they basically throw everything in the book:
PowerShell
curl
WScript[.]Shell
cscript
github.com/SecurityAura...
10.04.2025 02:03 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 96 - certutil.exe Used to Decode a File into a PE
Harshly remembered that this technique exists ... because of a CSAT tool.
IYKYK.
github.com/SecurityAura...
09.04.2025 00:15 — 👍 2 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 95 - Logon Attempts from LDAP Bind Accounts to Systems other than DCs
MDI query will be provided later because life throws unexpected stuff at you sometimes.
Perfect for those edge devices that keep getting popped, uh, keeping TAs out
github.com/SecurityAura...
08.04.2025 02:08 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 94 - Archive Created at the Root of a Drive
Another query to detect something threat actors do which I consider more of a default (to not say lazy) behavior than anything else.
Always fun to see if these archives still exist in an IR
github.com/SecurityAura...
07.04.2025 00:17 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 93 - PowerShell IEX or Invoke-Expression
Today's query is sponsored by ClickFix and that one purple EDR who looks even more shady than ClickFix because of what you can catch it doing with this.
github.com/SecurityAura...
06.04.2025 00:23 — 👍 2 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 92 - Low Prevalence Unsigned DLL Sideloaded in AppData Folder
Thanks to today's #ClickFix / #Lumma (#LummaStealer) infection combo for giving me an idea!
github.com/SecurityAura...
05.04.2025 02:02 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 91 - Large EXE or MSI File Observed in User Downloads Folder
Featuring a shoutout to debloat by the awesome @squiblydoo.bsky.social ! Go check it out (and also his certReport tool, #ImposeCost as they say)
github.com/SecurityAura...
04.04.2025 01:30 — 👍 3 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 90 - Network Connection from MSBuild.exe with ASN Enrichment
10 more days (and queries) to go! We're almost at the finish line!
Seen MSBuild.exe being (ab)used so many times. Spotted in a random SecTopRAT incident today.
github.com/SecurityAura...
03.04.2025 02:00 — 👍 0 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 89 - WmiPrvSE.exe Launching Command Executed Remotely
May be renamed in the future because now that I look at it, it's weird but whatever.
Probably the first (?) non-Defender XDR, Entra ID or M365 centric entry in my 100DaysOfKQL.
github.com/SecurityAura...
02.04.2025 02:19 — 👍 1 🔁 1 💬 0 📌 0
#100DaysOfKQL
Day 88 - ESENTUTL Used to Copy a File
Another one for the "man, ntds.dit is locked, how can I access it and get it out of that system?" Threat Actor crowd.
Or OffSec crowd, I don't judge.
Or Blue Team wanting to get dem Web DBs out👀
github.com/SecurityAura...
01.04.2025 02:14 — 👍 0 🔁 1 💬 0 📌 0
#100DaysOfKQL
Day 87 - Command Line Interpreter Launched as Service
Cobalt Strike goes brrrr. Probably one of the most basic things you can observe from it if you're lucky enough to have EDR, Sysmon or EID 4688 on IRs.
PS: I'm never that lucky.
github.com/SecurityAura...
31.03.2025 01:32 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 86 - Summarized Processes Launched by PowerShell or Command Line Scripts
More of an investigative query which gives you a "clean" output which makes it easier to see and understand what a script (or multiple scripts) does.
github.com/SecurityAura...
30.03.2025 01:54 — 👍 0 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 85 - Command Line Spawned by Microsoft SQL Server
The thing that almost ruined my Friday night.
Remember kids, deconflicting between OffSec and Defenders is important 🤝
github.com/SecurityAura...
29.03.2025 02:06 — 👍 0 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 84 - CLR DLLs Loaded by Process with Low Prevalence
The day FileProfile() becomes available in Sentinel is the day everyone is going to abuse the hell out of it.
github.com/SecurityAura...
27.03.2025 02:52 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 83 - Password Accessed By User in Google Chrome or Microsoft Edge
Little behavior I learned about while doing some Threat Hunting for runas-like events.
You can spot users within your orgs that use these browsers' Password Managers
github.com/SecurityAura...
26.03.2025 02:20 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 82 - File Downloaded from Uncommon TLD
A little follow-up, with a twist, to the Day 81 query. A bit different now since we have more events with URLs to play with.
Can also play with FileOriginReferrerUrl if needed? 👀
github.com/SecurityAura...
25.03.2025 02:20 — 👍 0 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 81 - Executable File or Script Fetched during Network Connection
Fun little query which can be expanded upon (winkwink DeviceFileEvents) to see files that are fetched during network connections (HTTP only AFAIK).
github.com/SecurityAura...
24.03.2025 01:39 — 👍 1 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 80 - mshta.exe Executing Raw Script From Command Line
Saw something about mshta.exe today that reminded me of this. Poweliks used to be all the rage back when I was on teh forums and it used that as persistence in the Run key.
Memories.
github.com/SecurityAura...
23.03.2025 01:04 — 👍 0 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 79 - PowerShell Process Launching PowerShell Process with Encoded Command
Similar to PowerShell launching cmd.exe, seeing encoded PowerShell launching itself, or PowerShell launching another PowerShell with -Encoded is interesting.
github.com/SecurityAura...
22.03.2025 02:08 — 👍 1 🔁 0 💬 0 📌 0
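An added example for the Day 79 idea, again not the repository's own query: PowerShell spawning PowerShell where the child carries an encoded command, with the blob decoded inline so an analyst can read it in the results. The PowerShell host list, the 7-day window and the NUL-stripping decode trick are assumptions:

```kql
// Added example, not the Day 79 query from the DE-TH-Aura repository.
// PowerShell launching PowerShell with -EncodedCommand in any of its accepted abbreviations.
let PowerShellHosts = dynamic(["powershell.exe", "pwsh.exe", "powershell_ise.exe"]); // assumed list
DeviceProcessEvents
| where Timestamp > ago(7d)                                   // assumed window
| where FileName in~ (PowerShellHosts)
| where InitiatingProcessFileName in~ (PowerShellHosts)
// Capture the base64 blob that follows -e, -ec, -enc, ... -encodedcommand (longest alternatives first)
| extend EncodedBlob = extract(@"(?i)-(?:encodedcommand|encodedcomman|encodedcomma|encodedcomm|encodedcom|encodedco|encodedc|encoded|encode|encod|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedBlob)
// PowerShell encodes the command as UTF-16LE. Decoding it as UTF-8 leaves a NUL byte after every
// ASCII character, which is stripped here; a payload with non-ASCII characters would need a real
// UTF-16 decode instead (assumption: ASCII-only payloads, which is the common case).
| extend DecodedCommand = replace_string(base64_decode_tostring(EncodedBlob), unicode_codepoints_to_string(0), "")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, DecodedCommand, ReportId
| order by Timestamp desc
```

The same `extract`/decode pair can be reused for the cmd.exe-to-PowerShell case the post mentions by swapping the `InitiatingProcessFileName` filter; keeping the decoded text in its own column makes it easy to pivot on `DecodedCommand has "IEX"` or similar in a follow-up query.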
#100DaysOfKQL
Day 78 - Sign-In Events From IP Address Associated With Malicious Domain
A rare investigative query appears in front of your eyes with a very ugly hack that I'll fix later but this week has been quite draining so pls forgive.
github.com/SecurityAura...
21.03.2025 01:39 — 👍 0 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 77 - Database Dump To Disk via sqlcmd.exe
First time seeing this from a Ransomware actor, so quite interesting.
Not talking about using sqlcmd.exe, but using it to dump tables to disk and then exfil them.
github.com/SecurityAura...
20.03.2025 02:16 — 👍 0 🔁 0 💬 0 📌 0
#100DaysOfKQL
Day 76 - Cloudflared Usage
This query of the day may or may not be sponsored by the current ransomware engagement I'm working on.
Will let you guess (but not confirm) which group that is.
Also: no metadata on cloudflared.exe :(
github.com/SecurityAura...
19.03.2025 02:33 — 👍 2 🔁 0 💬 0 📌 0